Analysis
-
max time kernel
67s -
max time network
100s -
platform
windows10_x64 -
resource
win10 -
submitted
24-06-2020 15:05
Static task
static1
Behavioral task
behavioral1
Sample
Document.pdf.exe
Resource
win7
Behavioral task
behavioral2
Sample
Document.pdf.exe
Resource
win10
General
-
Target
Document.pdf.exe
-
Size
1.6MB
-
MD5
e5c2661cc7e04e9e4c2085432e8ae062
-
SHA1
97e9e04ea1a585aeb22fd5765218f535c75b521f
-
SHA256
1e2fbd7c74b38c43c9ef42fa5d48b8ad50122d2be85ff927de0080d331cb9369
-
SHA512
5af3fb9b3ed2649ca7511f1e84f4e9695067ea50f1d496461ecd8f985d593863c9fade35be0254be5f4c11b4aecaba0326247c8bffff7317b49a35633d6f5d6c
Malware Config
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
loginwebs2019@yandex.com - Password:
stanbest123
Signatures
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
Document.pdf.exepid process 3536 Document.pdf.exe 3536 Document.pdf.exe 3536 Document.pdf.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
Document.pdf.exedescription pid process target process PID 3536 wrote to memory of 3800 3536 Document.pdf.exe MSBuild.exe PID 3536 wrote to memory of 3800 3536 Document.pdf.exe MSBuild.exe PID 3536 wrote to memory of 3800 3536 Document.pdf.exe MSBuild.exe PID 3536 wrote to memory of 3800 3536 Document.pdf.exe MSBuild.exe PID 3536 wrote to memory of 3800 3536 Document.pdf.exe MSBuild.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Document.pdf.exedescription pid process target process PID 3536 set thread context of 3800 3536 Document.pdf.exe MSBuild.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
MSBuild.exepid process 3800 MSBuild.exe 3800 MSBuild.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
MSBuild.exepid process 3800 MSBuild.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
Document.pdf.exepid process 3536 Document.pdf.exe 3536 Document.pdf.exe 3536 Document.pdf.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
MSBuild.exedescription pid process Token: SeDebugPrivilege 3800 MSBuild.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Document.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Document.pdf.exe"1⤵
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of AdjustPrivilegeToken